Comments on Email Security
Expert
Usergroup: Customer
Joined: Aug 19, 2005
Location: England
Total Topics: 391
Total Comments: 1303
There is always one <G>
Somebody who registered on one of my sites received their user name and password by email as per usual, but he said that sending an unsecured email containing both the user ID and Password in the same email is a clear security lapse.
I think his concern is that somebody will hack into his email and use this info. How possible is that? Is there such a thing as a secured email?
Is there really any chance of a security problem with sending that email??
developer
Usergroup: Administrator
Joined: Dec 20, 2001
Location: Diamond Springs, California
Total Topics: 61
Total Comments: 7868
It's a clear security lapse if you're giving him a login to the controls to launch all the world's nuclear missiles, since a malicious program on an intermediate server could intercept it along the way. Likewise the login itself is insecure as long as you're using an http:// instead of an https:// secure server, since a packet sniffer could intercept the data if it lies along the route from the ISP to the server. That doesn't stop 99% of sites from leaving well enough alone, though, because the odds are microscopic and the stakes very low.
Tell him not to use the same password for your site as he uses for financial institutions. The email part of this is addressed by default in that WSN Links doesn't email the user's current password unless you turn off password encoding.
Is there such a thing as a secured email?
There's no standard and few emails are sent securely, since you don't know if the recipient will be able to read them. Not my area, and I've never sent one, but Thunderbird has an OpenPGP option which is supposed to do secure email.
I can't say I've ever heard of anyone having their emails or web form submissions stolen; it's one of those possible but highly improbable things. Worth worrying about for your bank, but not for a directory.
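An added illustration, not part of the original thread and not WSN Links code: when a site stores only a one-way hash of each password, it has no current password to email, so the usual alternative is to mail a single-use, expiring link over https. All function names, the `example.invalid` URL, the one-hour lifetime and the PBKDF2 work factor below are assumptions made for this sketch.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 3600       # assumed link lifetime, in seconds
PBKDF2_ROUNDS = 600_000  # assumed work factor for this sketch

users = {}   # username -> (salt, password_hash); the plaintext is never kept
tokens = {}  # sha256(token) -> (username, expiry); the raw token is never kept


def hash_password(password, salt=None):
    """Return (salt, hash). The hash cannot be turned back into the password."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def register(username, password):
    users[username] = hash_password(password)


def check_login(username, password):
    if username not in users:
        return False
    salt, stored = users[username]
    return hmac.compare_digest(stored, hash_password(password, salt)[1])


def issue_reset_link(username, now=None):
    """Build the link that goes in the email: a random token, no password."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    key = hashlib.sha256(token.encode()).hexdigest()
    tokens[key] = (username, now + TOKEN_TTL)
    return f"https://example.invalid/reset?token={token}"


def redeem(token, new_password, now=None):
    """Accept a token once, and only before it expires."""
    now = time.time() if now is None else now
    entry = tokens.pop(hashlib.sha256(token.encode()).hexdigest(), None)
    if entry is None or now > entry[1]:
        return False
    users[entry[0]] = hash_password(new_password)
    return True
```

A copy of such an email read later from a mailbox or mail server yields only a spent or expired token, not a reusable credential.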